Most of us run a factory reset to erase an Android phone before selling or disposing of it, but research shows that a reset alone is not a safe way to remove the data.
A new study has found that a factory reset does not completely wipe sensitive user data, and that the leftover data can be recovered. The research team examined 21 used Android phones running Android 2.3.x to 4.3 (Gingerbread to Jelly Bean) and was able to recover emails, text messages, login credentials for various websites and more, even though every phone had been factory reset before the researchers got hold of it.
Laurent Simon and Ross Anderson, researchers at the University of Cambridge in the United Kingdom, bought the used devices on eBay between January and May 2014. The sample included popular handsets from Samsung, HTC, Motorola and LG and three phones from Google's Nexus lineup.
From about 17 of the devices they recovered the Google master token, which let them re-synchronize the phone with the previous owner's Google account and so read the emails, contacts and messages backed up there.
Access tokens recovered from apps such as Facebook likewise gave them the earlier data of several instant messaging apps.
Newer phones generally did better than older ones, for a variety of reasons, and Google's own Nexus phones fared better than those of other manufacturers, as Ross Anderson noted in his blog post. He also urged manufacturers to put more work into the security of the reset process.
The best option is to encrypt the phone, but even that does not solve the problem entirely. The data needed to reconstruct the encryption key used before the reset survives the wipe, and because that key is protected only by the user's lock secret, a short PIN can be brute-forced offline. Users are therefore better off locking the phone with a strong password rather than a PIN.
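To make the PIN-versus-password point concrete, here is an added example (not code from the article or from the Cambridge paper) that models a PIN-protected disk-key blob and runs an offline brute-force attack against it. The construction is hypothetical and deliberately minimal: the master key is XOR-wrapped with a key derived from the lock secret via PBKDF2-HMAC-SHA256 at 2000 iterations (a low count chosen to stand in for older phones), and an HMAC tag lets the attacker recognise a correct guess. It is not Android's actual crypto footer format; it only shows that once such a blob survives a reset, the lock secret is all that protects the key, and a 4-digit PIN falls in seconds while an 8-character alphanumeric password does not.

```python
"""Added example (not from the article or the Cambridge paper): a simplified,
hypothetical PIN-protected key blob and an offline brute-force attack on it.
This is NOT Android's real crypto footer format."""
import hashlib
import hmac
import itertools
import os
import string
import time

ITERATIONS = 2000   # assumption: low iteration count, as on older phones
KEY_LEN = 16        # 128-bit disk master key


def derive(secret: str, salt: bytes) -> bytes:
    """Stretch the lock secret into 32 bytes: 16 to wrap the key, 16 to tag it."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=32)


def wrap_master_key(master_key: bytes, secret: str) -> dict:
    """Produce the blob that would sit in storage: salt, wrapped key, tag."""
    salt = os.urandom(16)
    k = derive(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, k[:16]))
    tag = hmac.new(k[16:], wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap(blob: dict, secret: str):
    """Return the master key if `secret` is right, else None."""
    k = derive(secret, blob["salt"])
    tag = hmac.new(k[16:], blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], k[:16]))


def brute_force_pin(blob: dict, digits: int = 4):
    """Try every numeric PIN of the given length against a recovered blob.
    Returns (pin, master_key, attempts) or (None, None, attempts)."""
    attempts = 0
    for tup in itertools.product(string.digits, repeat=digits):
        attempts += 1
        guess = "".join(tup)
        key = unwrap(blob, guess)
        if key is not None:
            return guess, key, attempts
    return None, None, attempts


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an attacker must cover in the worst case."""
    return alphabet_size ** length


def main():
    master = os.urandom(KEY_LEN)
    blob = wrap_master_key(master, "7391")      # constructed sample PIN
    t0 = time.perf_counter()
    pin, key, attempts = brute_force_pin(blob)
    elapsed = time.perf_counter() - t0
    assert key == master
    rate = attempts / elapsed
    print(f"4-digit PIN {pin} recovered after {attempts} guesses in {elapsed:.1f}s "
          f"({rate:,.0f} guesses/s)")
    # Same attack, same rate, against an 8-character [A-Za-z0-9] password.
    years = keyspace(62, 8) / rate / (365 * 24 * 3600)
    print(f"Exhausting 8-char alphanumeric passwords at that rate: ~{years:,.0f} years")


if __name__ == "__main__":
    main()
```

The attack never touches the phone: everything it needs is in the recovered blob, so no lockout or wipe-after-N-attempts policy applies. Raising the iteration count only scales the per-guess cost linearly; the 10^4 candidate space of a 4-digit PIN is what makes it hopeless, which is why the recommendation is a password, not a longer PIN.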
The researchers estimate that around 500 million devices are affected and can have data recovered from them, and that 630 million do not erase the memory card where users typically store their private photos and videos, leaving that material easy for a buyer to access.
Anti-theft features such as remotely locking or wiping a device do not guarantee a clean memory card or phone memory either, even when the wipe is triggered from a mobile security app. Such apps rely on the factory-reset mechanism built into the phone's OS, so a third-party security app cannot do much better than the OS itself.
It is therefore best to wipe the phone by following the procedure described by the manufacturer.
There is also no public information on whether Google fixed the problem in releases after Jelly Bean. Google did not comment on the issue.
How to wipe user data entirely from an Android device?
The method recommended by security experts is to factory reset the phone, fill its storage with dummy data, and then reset it again. Anyone who later tries to recover data will find only the dummy data written in between, not your original files.
Check out this step-by-step article with details on how to do that.
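The "fill it with dummy data" step is the part a reader has to do by hand, so here is an added example (not code from the article) that overwrites the free space of a volume with random data and then removes the filler. It is generic code for any mounted filesystem; on a phone you would run it, or an equivalent dd loop, over `adb shell` against the storage mount point such as /sdcard, which is an assumption about your setup. The `max_mib` cap exists so you can try it on a laptop without filling the disk; leave it at 0 for a real wipe. One caveat: a fill from user space only reaches blocks the filesystem can hand out, and flash controllers keep spare blocks that such writes never touch, so this reduces the exposure rather than guaranteeing erasure.

```python
"""Added example (not from the article): overwrite a volume's free space with
random data, i.e. the "load it with dummy data" step between two resets.
Assumes a mounted filesystem path; on a phone that would be e.g. /sdcard."""
import errno
import os
import shutil
import tempfile

CHUNK = 1024 * 1024          # write 1 MiB of random data per call
FILE_LIMIT = 1024 * CHUNK    # roll to a new file every 1 GiB, under FAT32's 4 GiB cap


def fill_free_space(mount_dir: str, max_mib: int = 0) -> int:
    """Write random data under mount_dir until the volume is full (ENOSPC) or
    max_mib has been written, then delete the filler. Returns bytes written."""
    workdir = os.path.join(mount_dir, ".wipefill")
    os.makedirs(workdir, exist_ok=True)
    limit = max_mib * CHUNK if max_mib > 0 else None
    written = 0
    full = False
    file_no = 0
    try:
        while not full and (limit is None or written < limit):
            path = os.path.join(workdir, f"fill_{file_no:04d}")
            file_no += 1
            # Unbuffered, so ENOSPC and short writes surface on write(), not on close().
            with open(path, "wb", buffering=0) as f:
                in_file = 0
                while not full and in_file < FILE_LIMIT and (limit is None or written < limit):
                    chunk = os.urandom(CHUNK)
                    if limit is not None:
                        chunk = chunk[: limit - written]
                    try:
                        n = f.write(chunk)
                    except OSError as exc:
                        if exc.errno != errno.ENOSPC:
                            raise
                        full = True          # volume is full: that is the goal
                        break
                    written += n
                    in_file += n
                    if n < len(chunk):       # short write: no room left
                        full = True
                try:
                    os.fsync(f.fileno())     # push the data to the medium
                except OSError:
                    pass
    finally:
        # Remove the filler so the device is usable again; the blocks it
        # occupied now hold random bytes until the filesystem reuses them.
        shutil.rmtree(workdir, ignore_errors=True)
    return written


def demo(max_mib: int = 2) -> dict:
    """Run a capped fill in a temporary directory and report what happened."""
    tmp = tempfile.mkdtemp()
    try:
        written = fill_free_space(tmp, max_mib)
        return {
            "bytes": written,
            "filler_removed": not os.path.exists(os.path.join(tmp, ".wipefill")),
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo(2))
```

Run it with `max_mib=0` against the real mount point for the actual wipe, then perform the second factory reset from the phone's settings. Random data rather than zeros is used so that a later reader cannot tell overwritten blocks from never-used ones.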